FEDERAL HOUSING FINANCE AGENCY
OFFICE OF INSPECTOR GENERAL

Evaluation of FHFA’s Oversight of Fannie Mae’s Management of Operational Risk

Evaluation Report: EVL-2011-004         Dated: September 23, 2011

Why FHFA-OIG Did This Evaluation

The Federal Housing Finance Agency (FHFA or the Agency) is required to oversee the prudential operations of the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (collectively the Enterprises), and – through examinations – determine whether they operate in a safe and sound manner. Additionally, in September 2008, FHFA placed the Enterprises into conservatorships to preserve their assets and minimize taxpayer losses.

FHFA views operational risk management as an important financial safety and soundness challenge facing the Enterprises. The Agency defines operational risk as the risk of loss resulting from failed people, processes, or systems, or from external events (such as foreclosure abuses). In September 2008, FHFA issued guidance requiring the Enterprises to develop and implement programs to identify, report, and remedy operational risks. Effective operational risk management programs can assist FHFA’s safety and soundness examiners to identify trends in such risks and focus their examinations accordingly.

FHFA has reported that Fannie Mae has not taken acceptable steps to establish an operational risk management program. FHFA’s Office of Inspector General (FHFA-OIG) initiated this evaluation to assess FHFA’s oversight of Fannie Mae’s efforts to establish an acceptable operational risk management program.

What FHFA-OIG Found

Between 2006 and early 2011, FHFA and its predecessor agency repeatedly found that Fannie Mae had not established an acceptable and effective operational risk management program despite outstanding requirements to do so. Nonetheless, FHFA has not taken decisive action to compel Fannie Mae to create and administer an operational risk management program. As Fannie Mae’s regulator and conservator, FHFA’s authority over the Enterprises is broad and includes the ability to discipline or remove Enterprise personnel to ensure compliance with Agency mandates. But to date, FHFA has not exercised this or other authorities. Instead, FHFA has pursued the matter principally through less forceful supervisory means, such as conducting ongoing operational risk examinations and issuing Matters Requiring Attention, which were ineffective during the period.

Fannie Mae’s lack of an acceptable and effective operational risk management program may have resulted in missed opportunities to strengthen the oversight of law firms it contracts with to process foreclosures. For example, in a May 2006 internal report, Fannie Mae learned that attorneys acting on its behalf in Florida and elsewhere had filed false documents in foreclosure proceedings. The report further stated that Fannie Mae did not oversee the quality of these attorneys’ representation or the legal positions taken in their pleadings. Nonetheless, in a 2011 preliminary report FHFA concluded that Fannie Mae still had not acted on the recommendations to improve its attorney oversight contained in the 2006 report.

According to FHFA, Fannie Mae has recently made improvements in its operational risk program, and the Agency expects that the Enterprise will have an acceptable program in place no later than the first quarter of 2012. Given Fannie Mae’s history of non-compliance, FHFA-OIG believes that the Agency must exercise maximum diligence and take forceful action to ensure that Fannie Mae meets the Agency’s expectations in this regard. Otherwise, FHFA’s safety and soundness examination program, as well as its delegated approach to conservatorship management, may be adversely affected.

What FHFA-OIG Recommends

FHFA-OIG recommends that FHFA closely monitor Fannie Mae’s implementation of its operational risk management program; exercise its broad conservatorship or enforcement authority to compel Fannie Mae to establish an operational risk program, if the Enterprise fails to do so by the end of first quarter 2012; and ensure that Fannie Mae has qualified personnel to implement its plan.

TABLE OF CONTENTS

ABBREVIATIONS
PREFACE
BACKGROUND
    Overview of the Enterprises and FHFA
    FHFA’s Examination Program is the Primary Means by Which the Agency Monitors the Enterprises’ Financial Safety and Soundness
    Definition of Operational Risk and the Key Components of an Effective Enterprise Risk Management Program
    Operational Risk Management Program Requirements Offer Important Benefits for FHFA’s Examination Program and Its Delegated Approach to Managing the Conservatorships
    FHFA Repeatedly Found that Fannie Mae Did Not Establish an Acceptable and Effective Operational Risk Management Program
FINDINGS
    1. FHFA Repeatedly Found that Fannie Mae Had Not Developed an Acceptable and Effective Operational Risk Management Program, but FHFA Did Not Take Decisive Steps to Ensure Compliance by the Enterprise
    2. Foreclosure Processing Abuses in Florida and Elsewhere Illustrate the Potential Negative Consequences of Fannie Mae’s Failure to Establish an Effective Operational Risk Management Program
    3. FHFA Must Ensure that Fannie Mae Fully Implements Its Operational Risk Management Program
CONCLUSION
RECOMMENDATIONS
SCOPE AND METHODOLOGY
APPENDIX A
    FHFA’S Comments on Findings and Recommendation
APPENDIX B
    FHFA-OIG’S Response to FHFA’S Comments
ADDITIONAL INFORMATION AND COPIES

Federal Housing Finance Agency Office of Inspector General • EVL-2011-004 • September 23, 2011

ABBREVIATIONS

CRO            Chief Risk Officer
Fannie Mae     Federal National Mortgage Association
FHFA           Federal Housing Finance Agency
FHFA-OIG       Federal Housing Finance Agency Office of Inspector General
Freddie Mac    Federal Home Loan Mortgage Corporation
HERA           Housing and Economic Recovery Act of 2008
MBS            Mortgage-Backed Securities
MRA            Matter Requiring Attention
OFHEO          Office of Federal Housing Enterprise Oversight
Treasury       U.S. Department of the Treasury

Federal Housing Finance Agency
Office of Inspector General
Washington, DC

PREFACE

FHFA-OIG was established by the Housing and Economic Recovery Act of 2008 (HERA), which amended the Inspector General Act of 1978. FHFA-OIG is authorized to conduct audits, investigations, and other studies of the programs and operations of FHFA; to recommend policies that promote economy and efficiency in the administration of such programs and operations; and to prevent and detect fraud and abuse in them. This evaluation is one in a series of audits, evaluations, and special reports published as part of FHFA-OIG’s oversight responsibilities. It is intended to assess FHFA’s oversight of Fannie Mae’s development and implementation of an operational risk management program.

Fannie Mae and Freddie Mac are government-sponsored enterprises that support the nation’s housing finance system.
They do so by purchasing mortgages from loan sellers; in turn, the sales proceeds may be used to originate additional mortgages.

FHFA is required to oversee the prudential operations of the Enterprises and – through examinations – determine whether they operate in a safe and sound manner; maintain adequate capital and internal controls; foster liquid, efficient, competitive, and resilient housing finance markets; and operate in a manner consistent with the public interest. Additionally, in September 2008, FHFA placed the Enterprises into conservatorships to preserve and conserve their assets and minimize taxpayer losses.

According to an FHFA official, operational risk presents a considerable financial safety and soundness concern for the Enterprises. FHFA defines operational risk as “…exposure to loss from inadequate or failed internal processes, people, and systems, or from external events (including legal events).”[1] For example, an operational risk would include allegations reported in the summer of 2010 that: (1) Fannie Mae and Freddie Mac had failed to oversee adequately their networks of law firms that process foreclosures on their behalf; and (2) some of those firms filed false documents in judicial foreclosure proceedings.[2]

The failure to effectively manage this operational risk has come at a cost to FHFA and the Enterprises. FHFA initiated targeted examinations of the Enterprises’ oversight of their attorney networks, and the Enterprises have incurred legal costs associated with their alleged failure to manage the risks associated with them.

FHFA policy requires the Enterprises to develop programs to manage operational risks by identifying them, reporting them to their respective boards of directors and FHFA, and mitigating them. Moreover, FHFA safety and soundness examiners may use Enterprise operational risk reports and other materials to identify trends in operational risks and focus their examinations accordingly. The importance that FHFA places upon Enterprise operational risk management programs is highlighted by the fact that the Agency warned the Enterprises that their failure to establish such programs could subject them and their officers to supervisory enforcement actions, including civil monetary penalties and removal.

In its 2009 report to Congress, FHFA stated that Fannie Mae’s program represented a “Critical Concern;”[3] this is the most serious regulatory classification of financial, non-financial, operational, and compliance weaknesses. FHFA further noted that Fannie Mae was not in compliance with a 2006 Consent Order – issued by FHFA’s predecessor, the Office of Federal Housing Enterprise Oversight (OFHEO) – under which it was required to establish an operational risk management program by 2009. Specifically, FHFA stated that, “[w]eaknesses continued in the overall effectiveness of governance and oversight, risk reporting, program design, and program implementation, as evidenced by significant, high-profile operational events during the year.”[4]

Levels of Concern (in ascending order)
    None or Minimal
    Limited
    Significant
    Critical

Given the importance of Enterprise operational risk management to FHFA’s examination program and to its delegated approach to managing the conservatorships,[5] FHFA-OIG initiated this evaluation to assess the Agency’s oversight of Fannie Mae’s efforts to develop an acceptable operational risk program.[6] FHFA-OIG found that:

    • For the five-year period from 2006 until early 2011, FHFA repeatedly found that Fannie Mae had missed regulator-established deadlines for it to create and implement an acceptable and effective operational risk management program. Despite these repeated findings, FHFA has not taken decisive action to compel Fannie Mae to implement an acceptable and effective operational risk management program.

    • Fannie Mae’s lack of an acceptable and effective operational risk management program may have resulted in missed opportunities to correct weaknesses in the Enterprise’s oversight of law firms that process foreclosures on its behalf. Some of those law firms allegedly engaged in fraudulent practices, such as filing false documents in foreclosure proceedings.

    • FHFA officials claimed that, due to the Agency’s oversight efforts, Fannie Mae has made recent improvements to its operational risk management program, and FHFA expects the Enterprise to have an approved program established by the end of the first quarter of 2012. However, given Fannie Mae’s poor track record in developing and implementing such a program since at least 2006, FHFA-OIG believes that the Agency must exercise its broad conservatorship or enforcement authority to compel Fannie Mae to establish an acceptable and effective operational risk program if the Enterprise fails to do so by the end of first quarter 2012.

FHFA-OIG believes that the recommendations in this report will result in more economical, effective, and efficient operations. FHFA-OIG appreciates the assistance of all those who contributed to the preparation of this report.

This evaluation was led by Investigative Counsel Joseph Capone and Senior Policy Advisor Wesley Phillips.

This evaluation report has been distributed to Congress, the Office of Management and Budget, and others and will be posted on FHFA-OIG’s website, www.fhfaoig.gov.

Richard Parker
Acting Deputy Inspector General for Evaluations

[1] Enterprise Guidance on Operational Risk Management, September 2008.
[2] Fannie and Freddie’s Foreclosure Barons, Mother Jones, August 4, 2010. FHFA officials said that the issues raised in the article and subsequent Agency examinations constitute operational risks.
[3] According to FHFA’s Division of Enterprise Regulation Handbook dated June 16, 2009, “Enterprises with critical safety and soundness concerns exhibit severe financial, non-financial, operational, or compliance weaknesses.”
[4] FHFA, Report to Congress 2009, May 25, 2010. See www.fhfa.gov/webfiles/15784/FHFA-RepToCongress52510.pdf. FHFA’s 2008 report to Congress similarly stated that Fannie Mae had significant work to do to develop and implement a robust operational risk function.
[5] FHFA’s philosophy is to delegate day-to-day operations to the Enterprises. On November 24, 2008, FHFA clarified its role as conservator by identifying Enterprise activities that require its approval in advance. These include, among others, reasonably foreseeable material increases in operational risk, actions deemed likely to cause significant reputational risk, and legal settlements with a value of $50 million or more. FHFA’s Acting Director has stated that, beyond these specified activities, the Enterprises are generally responsible for their daily operations and business activities despite their having been placed into conservatorships. Thus, FHFA will not use its sweeping powers under HERA to manage every aspect of the Enterprises’ operations.
[6] This evaluation began as a survey of FHFA’s oversight of the Enterprises’ internal controls of their mortgage loan servicers’ foreclosure prevention and loss mitigation efforts. Facts developed during the survey resulted in a more specific evaluation of FHFA’s oversight of Fannie Mae’s management of operational risk.

BACKGROUND

Overview of the Enterprises and FHFA

Fannie Mae and Freddie Mac developed and support what is commonly known as the secondary mortgage market to fulfill their charter and legislative obligations to provide liquidity to, and support for, the national mortgage finance system. In the secondary mortgage market the Enterprises purchase mortgages that meet their underwriting criteria from loan sellers, such as banks and other mortgage originators. The loan sellers can then use the proceeds from these sales to originate additional mortgages. The Enterprises may hold the mortgages they purchase in their investment portfolios or securitize and sell them to investors as Mortgage-Backed Securities (MBS). In exchange for a fee, the Enterprises guarantee that the MBS investors will receive timely payment of principal and interest on their investments.

The Federal Housing Enterprises Financial Safety and Soundness Act of 1992 established risk-based and minimum capital standards for Fannie Mae and Freddie Mac. It also established housing goals for financing affordable housing in underserved areas.
Additionally, it created\nOFHEO as a new regulator of the Enterprises with the responsibility to conduct examinations of\nthem and to determine their capital levels.7\n\nOFHEO required the Enterprises to develop operational risk management programs.8 As\nenvisioned by OFHEO, the Enterprises\xe2\x80\x99 operational risk management programs would feed data\nto its examiners who, in turn, would use the data to identify the level of \xe2\x80\x93 and trends in \xe2\x80\x93\noperational risk at the Enterprises. OFHEO expected that both Enterprises would develop\nstandardized programs to supply OFHEO with comparable information from which it could\ndetermine, for example, the relative effectiveness of each Enterprise\xe2\x80\x99s risk management and\ninternal controls. Further, OFHEO planned to use Enterprise-generated operational risk data \xe2\x80\x9cin\nits continuous supervision program, to scope targeted exams, and as input for quarterly risk\nassessments and the determination of overall capital adequacy.\xe2\x80\x9d9\n\nOn July 30, 2008, HERA abolished OFHEO10 and established FHFA11 in its place. Pursuant to\nHERA, FHFA is required to oversee the prudential operations of the Enterprises and \xe2\x80\x93 through\n7\n    See Public Law No. 102-550 \xc2\xa7 1313.\n8\n \xe2\x80\x9cThese requirements [to collect operational event data and report it to OFHEO] are consistent with the safety and\nsoundness responsibilities of OFHEO under the Federal Housing Enterprises Financial Safety and Soundness Act of\n1992.\xe2\x80\x9d Letter to Richard F. Syron from Director, OFHEO, dated August 10, 2007.\n9\n    Id.\n10\n See Public Law No. 110-343 \xc2\xa7 1301. The completion of OFHEO\xe2\x80\x99s abolishment was envisioned to take 12\nmonths, beginning with the enactment of HERA.\n11\n     See id. 
at \xc2\xa7 1101.\n           Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 EVL-2011-004 \xe2\x80\xa2 September 23, 2011\n                                                        10\n\x0cexaminations \xe2\x80\x93 to determine whether they operate in a safe and sound manner; maintain adequate\ncapital and internal controls; foster liquid, efficient, competitive, and resilient housing finance\nmarkets; and operate consistent with the public interest.\n\nOn September 6, 2008, due to the Enterprises\xe2\x80\x99 mounting mortgage-related losses, FHFA\ndetermined that they were \xe2\x80\x9ccritically undercapitalized\xe2\x80\x9d and, as provided for under HERA, placed\nthem into conservatorships. As the Enterprises\xe2\x80\x99 conservator, FHFA assumed responsibility for\npreserving and conserving their assets. To fulfill its responsibility, HERA provides FHFA with\nall the powers of the Enterprises\xe2\x80\x99 shareholders, directors, and officers.12\n\nOn September 23, 2008, OFHEO/FHFA issued its Enterprise Guidance on Operational Risk\nManagement (Guidance), noting that \xe2\x80\x9cthe effective management of operational risk is required to\nsupport Enterprise safety and soundness.\xe2\x80\x9d13 The Guidance is based on special examinations of\nFannie Mae and Freddie Mac initiated in 2003 and 2004, respectively. Those examinations\nrevealed serious deficiencies in the way that the Enterprises managed their operational risk and\ncategorized them as a \xe2\x80\x9ccritical supervisory concern.\xe2\x80\x9d Additionally, the Guidance formally\nrequires the Enterprises to develop and implement operational risk programs.\n\nFHFA\xe2\x80\x99s Examination Program is the Primary Means by Which the Agency\nMonitors the Enterprises\xe2\x80\x99 Financial Safety and Soundness\n\nFHFA\xe2\x80\x99s safety and soundness examination program is the primary means by which the Agency\nmonitors the Enterprises\xe2\x80\x99 financial conditions and operations. 
Pursuant to this program, FHFA\nconducts periodic examinations of the Enterprises to assess, among other things, their credit,\nmarket, and operational risk management programs and practices.14 FHFA can take a variety of\nsteps based on its examination findings to ensure that the Enterprises correct deficiencies noted\nby the examiners. Among them is the designation of a risk as a Matter Requiring Attention\n(MRA).\n\nMRAs are used to identify issues of supervisory concern that warrant special attention by the\nEnterprise to ensure that corrective action is appropriately planned and executed. FHFA policy\nis to follow-up on MRAs to ensure that the Enterprise\xe2\x80\x99s response is appropriate, timely, and\neffective. Further, FHFA has regulatory authority to initiate formal enforcement actions, such as\n\n12\n     See id. at \xc2\xa7 1145.\n13\n     Enterprise Guidance on Operational Risk Management (PG-08-002) at pp. 1-4.\n14\n   Credit risk is the risk that borrowers will default on their obligations such as mortgage loans. Market risk, which\nincludes interest rate risk, arises from the adverse effects of changes in interest rates or foreign exchange rates.\nFHFA guidance states that market risk can also cause liquidity risk which arises when an Enterprise is unable to: (1)\nliquidate assets or obtain adequate funding in order to meet obligations when they come due; or (2) easily unwind or\noffset specific exposures without significantly lowering market prices because of inadequate market depth or large\nmarket disruptions.\n\n           Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 EVL-2011-004 \xe2\x80\xa2 September 23, 2011\n                                                         11\n\x0cthe issuance of cease and desist orders and the imposition of civil monetary penalties, to compel\nthe Enterprises to correct deficiencies identified in examinations or through other means. 
FHFA\nalso has conservatorship authority to control and direct the Enterprises\xe2\x80\x99 operations, including the\npower to remove or replace personnel.\n\nDefinition of Operational Risk and the Key Components of an Effective\nEnterprise Risk Management Program\n\nFHFA\xe2\x80\x99s definition of operational risk is broad and applies to the full range of the Enterprises\xe2\x80\x99\nbusiness activities. Operational risk is defined as, \xe2\x80\x9c\xe2\x80\xa6exposure to loss resulting from inadequate\nor failed internal processes, people, and systems, or from external events (including legal\nevents).\xe2\x80\x9d15\n\nSpecific examples of Enterprise operational risk include:16\n\n           \xef\x82\xb7   Outdated information technology systems. Related deficiencies include system\n               complexity, poor system integration, inadequate data management, and multiple\n               interfaces that create the need for manual workarounds and multiple data\n               reconciliation efforts. Inflexible, proprietary technology often necessitates the use of\n               inefficient and poorly controlled end-user computers for long periods. FHFA has\n               stated that such deficiencies have impeded the Enterprises\xe2\x80\x99 ability to close monthly\n               financial statements, as well as convert certain mortgages into MBS.\n\n           \xef\x82\xb7   Inadequate internal controls. This deficiency involves the failure to manage and\n               control a variety of operations and processes. For example, FHFA has stated that the\n               Enterprises have not been able to consistently demonstrate robust and effective\n               mortgage servicer performance management. Such oversight is essential because\n               mortgage servicers perform a variety of functions on behalf of the Enterprises,\n               including modifying delinquent mortgages and conducting foreclosures. 
Recently,\n               the Enterprises have been subject to intense Congressional, public, and regulatory\n               criticism for failing to oversee adequately the law firms they retained to conduct\n               foreclosures, which is also an operational risk. As discussed later in this evaluation\n               report, FHFA-OIG believes that Fannie Mae\xe2\x80\x99s failure to establish an acceptable and\n               effective operational risk management program represents a potential missed\n               opportunity to identify and correct abusive foreclosure practices at an earlier point in\n               time.\n\n\n15\n     Enterprise Guidance on Operational Risk Management (PG-008-002), September 23, 2008.\n16\n  The examples in this section are derived from FHFA\xe2\x80\x99s Report to Congress 2010 (June 13, 2011). See\nhttp://www.fhfa.gov/webfiles/21570/FHFA2010RepToCongress61311.pdf.\n\n          Federal Housing Finance Agency Office of Inspector General \xe2\x80\xa2 EVL-2011-004 \xe2\x80\xa2 September 23, 2011\n                                                       12\n\x0cThe Guidance issued by OFHEO/FHFA on September 30, 2008, specified OFHEO/FHFA\xe2\x80\x99s\nexpectations for the Enterprises\xe2\x80\x99 operational risk management programs and identified four key\nfeatures for such programs:\n\n           a. Operational risk identification and assessment: Each Enterprise\xe2\x80\x99s board of directors\n              should review and approve a definition of operational risk, and management is\n              responsible for communicating it throughout the organization. Each Enterprise\n              should also develop processes and mechanisms for identifying operational risks.\n              These processes and mechanisms should include an operational event reporting\n              system that is closely tied to a system by which to assess promptly the causes of such\n              events. 
     The Enterprises should also collect meaningful data to support cause and
     effect analyses and routinely validate and test its processes.

  b. Measurement and modeling: Each Enterprise should develop models to provide
     management with accurate assessments of the magnitude and direction of identified
     operational risks. The models should be: (1) consistently applied throughout each
     Enterprise; (2) derived from valid data from adequate data systems; (3) tested for
     sensitivity to changes in data or assumptions; and (4) periodically validated by an
     independent party. The system should also be able to assess the potential financial
     losses associated with operational risks and events.

  c. Reporting: Each Enterprise should develop a system under which operational risks
     are reported to management and the boards of directors to inform their assessments of
     the operational risks and permit them to identify corrective actions. Separate
     regulatory guidance dating from 2007, which remains in effect, requires the
     Enterprises to report operational events to FHFA.[17]

  d. Risk management decision-making: Each Enterprise should select strategies by
     which to manage its operational risks including, among others, avoidance, transfer,
     mitigation, and monitoring. The selection of risk management strategies should be
     informed by the employment of one or more decision frameworks, such as cost
     benefit analysis.
     Further, the Enterprises should apply the decision frameworks
     consistently across their organizations.

[17] OFHEO established this policy in August 2007.

Operational Risk Management Program Requirements Offer Important
Benefits for FHFA’s Examination Program and Its Delegated Approach to
Managing the Conservatorships

The requirement that the Enterprises establish effective operational risk management programs is
intended, in part, to assist safety and soundness examiners to carry out their responsibilities. For
example, an effective operational risk management program should enable FHFA examiners to
identify the highest operational risks within an Enterprise; assess its internal controls in those
areas; and evaluate its plans to mitigate identified risks. The effective management of
operational risk is integral to support Enterprise safety and soundness.

FHFA-OIG also observes that the establishment of effective Enterprise operational risk
management programs is critical given FHFA’s limited examination resources. As stated in a
previous FHFA-OIG report, FHFA faces significant examination staffing and capacity
shortfalls.[18] These shortfalls, which tend to limit FHFA’s capacity to carry out its safety and
soundness regulatory responsibilities, may be mitigated by the Enterprises’ ability to
self-identify, report, and correct key operational risks.

Further, FHFA-OIG believes that the establishment of effective operational risk management
programs is important to the success of FHFA’s delegated approach to managing the Enterprises’
conservatorships.
As their conservator, FHFA largely relies on the Enterprises to effectively
manage their own day-to-day operations and normal business activities.[19]

FHFA Repeatedly Found that Fannie Mae Did Not Establish an Acceptable
and Effective Operational Risk Management Program

FHFA repeatedly concluded from 2006 through early 2011 that Fannie Mae did not establish an
acceptable and effective operational risk management program. Despite the importance of such
a program, FHFA did not take adequate steps to compel Fannie Mae to establish an acceptable
and effective program during that period.

FHFA’s predecessor agency, OFHEO, completed a special examination of Fannie Mae in 2006.
It identified significant concerns about Fannie Mae’s risk management, financial reporting,
internal controls, and corporate governance. OFHEO found that Fannie Mae management placed
a higher priority on meeting specific earnings goals than it did on ensuring proper accounting,
risk management, internal controls, and complete and accurate financial reporting.
Further, OFHEO concluded that Fannie Mae avoided making the investments needed to develop systems
and policies by which to ensure compliance with applicable accounting standards.

[18] See FHFA-OIG, Federal Housing Finance Agency’s Exit Strategy and Planning Process for Enterprises’
Structural Reform (EVL-2011-001, March 31, 2011).
[19] The scope of this evaluation does not include assessing merits or results of FHFA’s delegated approach to
managing the Enterprises’ conservatorships, and FHFA-OIG makes no conclusions on such approach in this report.

Consent Order is a type of formal agreement intended to ensure that appropriate corrective action
is taken

To address Fannie Mae’s operational weaknesses and other deficiencies noted in the special
examination report, OFHEO and the Enterprise entered into a Consent Order in May 2006.
With respect to operational risk management, the Consent Order required that:

  • Fannie Mae shall maintain a Chief Risk Officer
    (CRO). The CRO shall direct a risk management organization with responsibility for
    overseeing risk management for financial and operational risk throughout Fannie
    Mae.
    The CRO shall report directly to the Chief Financial Officer and independently
    to the Risk Policy and Capital Committee of the Board; and

  • Fannie Mae shall provide to OFHEO within 180 days of the Consent Order a plan for
    the build out of the Enterprise’s operational risk oversight function over the
    succeeding three years. Fannie Mae shall move expeditiously to implement the plan.

Fannie Mae submitted to OFHEO an operational risk management program in November 2006,
but the Enterprise did not implement the plan.

On May 6, 2008, OFHEO terminated the 2006 Consent Order; however, Fannie Mae’s obligation
to establish and implement an operational risk management plan remained in place and was
unaffected by the termination. Specifically, OFHEO’s letter stated that it would continue to
assess the implementation of Fannie Mae’s operational risk management program over the
succeeding two years in accordance with the requirements set forth in the Consent Order.
OFHEO added that Fannie Mae’s operational risk management program would receive
heightened focus via the examination process. In response, Fannie Mae acknowledged its
continuing obligation to create and administer such a plan.

Nonetheless, throughout the years that followed Fannie Mae did not create an acceptable and
effective plan and neither OFHEO nor FHFA used their considerable enforcement powers (nor
did FHFA use its broad conservatorship authority) to compel Fannie Mae to do so. FHFA
documented Fannie Mae’s non-compliance, as follows:

   (a) FHFA’s September 2008 Letter to Fannie Mae Identifying Deficiencies in Its
       Operational Risk Management Program

On September 4, 2008, two days before placing Fannie Mae into conservatorship, FHFA sent
Fannie Mae a letter criticizing many aspects of its operations.
FHFA stated that Fannie Mae’s
infrastructure, including its information technology systems, were inadequate, and that the
Enterprise lacked the controls necessary to manage new products and their associated risks.
FHFA also noted that Fannie Mae’s operational risk management framework was not fully
established.

   (b) FHFA’s 2008 Examination of Fannie Mae – Operational Risk Management
       Findings

In its 2008 Report of Examination, FHFA rated Fannie Mae’s operational risk management
oversight as a “significant concern.” According to FHFA guidance, a “significant concern”
means that Fannie Mae’s operational risk management program exhibited “more than moderate
… weaknesses.” FHFA also found that it would take Fannie Mae a “significant” amount of
work to create an acceptable program. Finally, FHFA cited changes in Fannie Mae’s operational
risk management leadership as a factor contributing to delays in improving compliance in this
area.

   (c) FHFA’s May 2009 Review of Fannie Mae and the Opening of Three MRAs
       Pertaining to Operational Risk Management Deficiencies

In a May 2009 letter to Fannie Mae, FHFA again rated Fannie Mae’s operational risk
management program a “significant concern” and noted a number of weaknesses in it that
undermined the Enterprise’s capacity to identify and correct operational risks.
FHFA further
noted that the board of directors and Enterprise senior management did not exercise effective
oversight of the program, the establishment of which was well behind the three-year schedule set
forth in the 2006 Consent Order.

On the basis of the 2009 review, FHFA opened three MRAs concerning Fannie Mae’s
operational risk management program. The first MRA required Fannie Mae to strengthen its
operational risk management governance and oversight, the second required it to develop an
operational risk management program, and the third required it to implement the program.[20]

FHFA also opened a fourth MRA pertaining to the frequency of operational reporting in a July
2009 letter to Fannie Mae. FHFA officials said that they closed this MRA in December 2010
because Fannie Mae was “technically” in compliance with it. Specifically, FHFA said that
Fannie Mae had increased the reporting of operational risks to its board of directors, but that the
quality of its reporting required improvement.

[20] FHFA policy states that MRAs are issues of supervisory concern that warrant special attention by the Enterprise
to ensure that corrective action is appropriately planned and executed.
FHFA policy also states that the Agency will
follow-up on MRAs to ensure that the Enterprises’ responses are appropriate, timely, and effective.

   (d) FHFA’s Fourth Quarter 2009 Analysis of Fannie Mae’s Operational Risk Oversight
       Deficiencies

On December 15, 2009, FHFA issued its fourth quarter 2009 analysis of Fannie Mae’s
operational risk oversight, which resulted in the Agency increasing its level of concern from
“significant” to “critical” – the most severe rating. FHFA concluded that Fannie Mae had failed
to develop an operational risk management program within three years as required by the 2006
Consent Order. The Agency also identified a number of weaknesses in Fannie Mae’s operational
risk governance and design, and it noted that Fannie Mae’s management had been slow to
recognize these weaknesses. Consequently, FHFA determined that Fannie Mae was not in
compliance with the three MRAs pertaining to operational risk deficiencies.

   (e) FHFA’s 2009 Report of Examination of Fannie Mae Identifying Ongoing
       Operational Risk Management Deficiencies

In its 2009 Report of Examination, FHFA again rated Fannie Mae’s operational risk oversight as
a “Critical Concern.” The examiners determined that Fannie Mae still had not established an
acceptable and effective operational risk management program.
Specifically, the examiners
found that the Enterprise’s efforts to improve its operational risk management were only in the
early stages of development.[21]

   (f) FHFA’s September 8, 2010, Non-Compliance Letter Regarding the Three 2009
       MRAs Pertaining to Operational Risk

On September 8, 2010, FHFA issued a non-compliance letter to Fannie Mae advising that the
three operational risk MRAs issued after the Agency’s May 2009 review remained open.
Further, FHFA concluded that the third MRA (Operational Risk Management Program
Implementation) “will remain open until Fannie Mae effectively demonstrates that the
operational risk management tools are influencing and affecting the behavior of Fannie Mae
managers and employees.”

   (g) FHFA’s 2010 Report of Examination of Fannie Mae Again Rating Operational Risk
       as a “Critical Concern” and Noting the Enterprise’s Non-Compliance with
       OFHEO’s 2006 Consent Order

FHFA’s 2010 Report of Examination issued on April 1, 2011, again rated Fannie Mae’s
operational risk oversight as a “Critical Concern.” The report found, among other things, that
Fannie Mae had not developed an acceptable operational risk management program as required
by the 2006 Consent Order and the three MRAs.
FHFA concluded that Fannie Mae had not
demonstrated the ability to comply with Agency guidance on developing an operational risk
management program.

[21] Fannie Mae responded to the examiners that it expected to have its operational risk management program in place
by the end of 2010, but it ultimately failed to meet this deadline.

   (h) FHFA Stating that Fannie Mae Has Made Recent Improvements in Developing an
       Operational Risk Management Program, but the Program’s Full Implementation Is
       Not Expected Until the End of the First Quarter of 2012

Although a first quarter 2011 FHFA analysis continued to rate Fannie Mae’s operational risk
management program as a “Critical Concern,”[22] Agency officials stated that the Enterprise has
recently taken steps toward developing an acceptable program. These steps involve developing a
basic framework that includes executive leadership, an operational risk reporting framework, and
dedicated resources. FHFA officials also stated that Fannie Mae reports operational incidents on
a quarterly basis pursuant to established requirements.[23]

FHFA officials also said that the Agency has taken steps to ensure that Fannie Mae has improved
its development and implementation of an operational risk management program. In particular,
FHFA officials said that they have kept open the three MRAs pertaining to Fannie Mae’s
operational risk management program as a means to persuade Fannie Mae’s board of directors
and senior managers to develop and implement an acceptable and effective operational risk
management program.
FHFA officials added that they have held meetings with Fannie Mae to
stress the importance of an acceptable and effective operational risk management program.
FHFA-OIG, however, does not believe that FHFA’s supervisory strategy of maintaining open
MRAs, which have been unresolved for years, has been demonstrated to be an effective means to
ensure Fannie Mae’s implementation of an acceptable and effective operational risk program.

FHFA officials added that they will continue to monitor closely Fannie Mae’s implementation of
its risk management program and expect it to be completed no later than the first quarter of 2012.
FHFA officials also said that, given the importance of Enterprise operational risk management
programs, the Agency and Fannie Mae will act decisively if the Enterprise fails to implement its
program on schedule.

[22] FHFA officials also said that Fannie Mae “had not developed all the fundamentals of a successful, mature
operational risk program” and, as a result, the Enterprise did not “provide senior management and the Board of
Directors with actionable information on the operational risks facing [it].” See Division of Enterprise Regulation
Memorandum to File, dated March 31, 2011.
[23] Moreover, FHFA officials said that Fannie Mae had made significant improvements with respect to mitigating
operational risks associated with information security, data management, information technology infrastructure, and
related operational incidents.

FINDINGS
FHFA-OIG finds that:

   1. FHFA Repeatedly Found that Fannie Mae Had Not Developed an
      Acceptable and Effective Operational Risk Management Program,
      but FHFA Did Not Take Decisive Steps to Ensure Compliance by the
      Enterprise

From 2006 through early 2011, FHFA – and its predecessor, OFHEO – repeatedly found that
Fannie Mae had not established an acceptable and effective operational risk management
program, despite outstanding requirements to do so as reflected in the timeline contained in
Figure 1, below.

Figure 1: Timeline Regarding FHFA’s Identification of Operational Risk Management
Deficiencies at Fannie Mae

Despite these ongoing findings over a five year period, neither FHFA nor OFHEO took decisive
steps to ensure compliance. For instance, as the Enterprises’ conservator, FHFA has broad
authority to control and direct the Enterprises’ operations, including removing and replacing
personnel. As regulator, FHFA may issue cease and desist orders and levy fines to ensure
compliance with Agency mandates. To date, however, the Agency has not exercised any of
these authorities.[24] Rather, FHFA relied upon less forceful supervisory measures, such as issuing
MRAs, which have not proven to be effective.

   2. Foreclosure Processing Abuses in Florida and Elsewhere Illustrate
      the Potential Negative Consequences of Fannie Mae’s Failure to
      Establish an Effective Operational Risk Management Program

Fannie Mae’s lack of an acceptable and effective operational risk management program may
have resulted in missed opportunities to identify and correct timely weaknesses in the
Enterprise’s oversight of law firms in its Retained Attorney Network.
Some of these law firms
allegedly filed false documents and engaged in other foreclosure processing abuses in Florida
and elsewhere. For example, in 2005, Fannie Mae hired an outside law firm to investigate a
variety of allegations referred by one of its investors regarding purported foreclosure processing
abuses and other matters. In May 2006, the law firm issued a report of investigation in which it
found that certain law firms that represented Fannie Mae in foreclosures filed false documents in
foreclosure proceedings in Florida and elsewhere. The report referred to such practices as
“unlawful” and stated that they were unauthorized by Fannie Mae and should be stopped.

Further, the report observed that Fannie Mae did not take steps to ensure the quality of its
foreclosure attorneys’ conduct, the legal positions taken in the attorneys’ pleadings, or the
manner in which the attorneys processed foreclosures on the Enterprise’s behalf.

The report noted that Fannie Mae was developing a computer
system to improve communication within its attorney network
and more effectively monitor the conduct of its counsel.[25]
But the report also noted that the development and
implementation of the computer system was not expected
to be completed in the near-term.

Operational Risk is exposure to loss resulting from inadequate or failed internal processes,
people, and systems, or from external events (including legal events)

[24] FHFA officials advised FHFA-OIG that FHFA is not inclined to issue cease and desist orders and levy fines when
the Enterprises are in conservatorship.
[25] Fannie Mae officials told FHFA-OIG that they had initiated other corrective actions in response to the internal
report’s conclusions, including initiating teleconferences with law firm officials on appropriate foreclosure
processing steps and conducting relevant training at mortgage industry trade shows.

In late 2010, FHFA initiated a special review of Fannie Mae’s oversight of its attorney network;
and in early 2011 preliminarily concluded that the Enterprise’s controls over the network were
inadequate. FHFA specifically noted that Fannie Mae was alerted in May 2006 by the internal
report that some of its foreclosure attorneys were sacrificing accuracy for speed, i.e., filing false
documents in foreclosure proceedings. FHFA also stated that it had found no evidence that
Fannie Mae’s receipt of this information caused the Enterprise to make any improvements in its
oversight of its law firms. Further, FHFA found that Fannie Mae never developed and
implemented the computer system that was identified in the 2006 internal report as a potential
means to improve its oversight of the law firms.
Consequently, this evidence from FHFA’s
review suggests that Fannie Mae did not take sufficient steps in response to the 2006 report to
mitigate the operational risks associated with its foreclosure processing attorney network.

FHFA-OIG cannot establish whether Fannie Mae complied with another key requirement of an
operational risk management program: notifying its regulator of the 2006 report or submitting it
to the regulator. Fannie Mae officials claim that they informed an OFHEO senior official of the
report during a telephone conversation in 2006, but they have no record of the communication.
The OFHEO official, who now works for FHFA, has no records or recollection of the
conversation. In any event, neither Fannie Mae nor its regulator acted on the 2006 report, and
FHFA examination officials informed FHFA-OIG that they did not learn of the 2006 report until
after it was disclosed in a March 2011 newspaper article.

In summary, FHFA-OIG views the circumstances surrounding Fannie Mae’s 2006 report on
foreclosure processing abuses as a missed opportunity to address an important operational risk at
an early stage. Per FHFA’s guidance, one of the essential elements of an operational risk
program is the Enterprise’s development of strategies to correct identified operational risks.
FHFA’s preliminary 2011 examination findings indicate that, after learning of its attorneys’
misconduct in 2006, Fannie Mae did not develop and implement a strategy to improve its
oversight of this portion of its operation. FHFA further concluded that Fannie Mae did not
deploy the computer system that was intended to enhance its attorney oversight.
Moreover, if
OFHEO or FHFA had received Fannie Mae’s 2006 report, as would be consistent with
operational risk guidance, then the regulators might have been in a position to assess the risks
involved, determine whether Freddie Mac’s attorneys engaged in similar practices (as turned out
to be the case), and ensure that the Enterprises took actions to better oversee their attorneys and
possibly prevent foreclosure processing abuses.

   3. FHFA Must Ensure that Fannie Mae Fully Implements Its
      Operational Risk Management Program

A first quarter 2011 FHFA review of Fannie Mae’s operational risk management program
continued to classify it as a “critical concern.” However, FHFA officials told FHFA-OIG that
Fannie Mae has taken positive steps in 2011 to implement an acceptable program. The FHFA
officials said that Fannie Mae has new senior officers responsible for operational risk
management and that they have developed a new management program. FHFA officials also
said that FHFA has closely monitored Fannie Mae’s progress and that under Fannie Mae’s
schedule its program should be in place no later than the end of the first quarter of 2012.

Further, FHFA officials also said that, given the importance of Enterprise operational risk
management programs, the Agency will act in a decisive fashion if Fannie Mae fails to
implement its program on schedule.[26] FHFA-OIG believes that, as Fannie Mae’s conservator
and regulator, FHFA must closely monitor Fannie Mae’s progress and take decisive action if
necessary.
Given Fannie Mae’s five-year history of noncompliance, there is good reason to
question whether Fannie Mae will meet its first quarter 2012 deadline. If it fails to do so, FHFA
should penalize Fannie Mae and its officers for their nonfeasance.

[26] FHFA’s General Counsel said that if Fannie Mae does not implement its program, the Agency could employ its
conservatorship authorities under HERA to control and direct Fannie Mae’s operations, as opposed to its formal
regulatory enforcement authorities, such as civil money penalties. The General Counsel noted that as Fannie Mae’s
conservator FHFA could remove and replace culpable risk officials, or more likely direct Fannie Mae’s board of
directors to do so.

CONCLUSION
FHFA and its predecessor have tolerated five years of delay by Fannie Mae, which has been
under directives to establish and implement an acceptable and effective operational risk
management program. FHFA possesses the authority through a variety of mechanisms to
enforce its directives. However, to date, FHFA has not taken decisive action to compel the
Enterprise’s compliance.
Fannie Mae’s lack of such a program creates potentially significant
risks for Fannie Mae and FHFA.

RECOMMENDATIONS
FHFA-OIG recommends that FHFA:

  • Closely monitor Fannie Mae’s implementation of its operational risk management
    program;

  • Take decisive and timely actions to ensure the implementation of the program if
    Fannie Mae fails to establish an acceptable and effective operational risk program by
    the end of the first quarter 2012; and

  • Ensure that Fannie Mae has qualified personnel in place to ensure continuing
    compliance with its operational risk management program.

SCOPE AND METHODOLOGY
The objective of this evaluation was to assess FHFA’s oversight of Fannie Mae’s efforts to
develop an acceptable operational risk management program.

To address these objectives, FHFA-OIG staff reviewed FHFA and OFHEO Guidance pertaining
to the development of operational risk management programs as well as a May 2006 Consent
Order between Fannie Mae and OFHEO. Further, FHFA-OIG reviewed FHFA examination
reports and other related documentation for the period covered in the evaluation.

Additionally, FHFA-OIG staff interviewed senior officials within FHFA responsible for
monitoring and examining Fannie Mae’s operational risk program. FHFA-OIG officials also
spoke with senior Fannie Mae officials regarding a 2006 report prepared for the Enterprise on its
oversight of attorneys who conduct foreclosures on its behalf and foreclosure processing
practices in Florida and elsewhere.
FHFA-OIG staff analyzed the extent to which Fannie Mae’s
failure to establish an operational risk management program was illustrated by the circumstances
surrounding the Enterprise’s 2006 internal report.

This evaluation was conducted under the authority of the Inspector General Act and in
accordance with the Quality Standards for Inspection and Evaluation (January 2011), which was
promulgated by the Council of Inspectors General on Integrity and Efficiency. These standards
require FHFA-OIG to plan and perform an evaluation that obtains evidence sufficient to provide
reasonable bases to support the findings and recommendations made herein. FHFA-OIG trusts
that the findings and recommendations discussed in this report meet these standards.

The performance period for this evaluation was from February 2011 to September 2011.

FHFA-OIG provided FHFA staff with briefings and presentations concerning the results of its
fieldwork and provided FHFA an opportunity to respond to a draft report of this evaluation.
FHFA’s comments on FHFA-OIG’s draft report are reprinted in their entirety at Appendix A.

FHFA-OIG appreciates the efforts of FHFA and Fannie Mae management and staff in providing
information and access to necessary documents to accomplish this evaluation.

APPENDIX A
FHFA’S Comments on Findings and Recommendation

APPENDIX B
FHFA-OIG’S Response to FHFA’S Comments

FHFA-OIG is pleased that FHFA generally agrees with the report’s recommendations to:

  • Closely monitor Fannie Mae’s implementation of its operational risk management
    program;

  • Take decisive and timely actions to ensure the implementation of the program if
    Fannie Mae fails to establish an acceptable and effective operational risk management
    program by the end of the first quarter of 2012; and

  • Ensure that Fannie Mae has qualified personnel in place to ensure continuing
    compliance with its operational risk management program.

But FHFA states that the draft report’s characterization of the Agency’s oversight efforts and
Fannie Mae’s operational risk management program do not fully reflect all the facts and the
context.

   1. FHFA disputes FHFA-OIG’s finding that FHFA did not take decisive steps to ensure that
      Fannie Mae established an acceptable and effective operational risk management
      program. Further, FHFA states that it has extensive conservatorship authorities and that
      it does not believe that cease and desist orders or fines, as suggested in the report, would
      produce better results.

      FHFA-OIG revised the draft report to reflect some of FHFA’s concerns, but stands
      behind its assertions that the Agency did not take decisive action to compel Fannie Mae
      to establish an acceptable and effective operations risk program.
   By May 2009, Fannie
   Mae was in substantial non-compliance with the May 2006 OFHEO Consent Order under
   which it was required to establish an operational risk management program within three
   years. Rather than use its extensive conservatorship or regulatory powers at that point
   (for example, FHFA could have directed Fannie Mae to discipline or remove employees
   for non-compliance), FHFA chose a less forceful supervisory approach, which included
   opening MRAs and using them as a means to “compel” Fannie Mae to develop an
   acceptable and effective program. Nevertheless, more than two years later, Fannie Mae
   has yet to comply. Further, it remains to be seen whether Fannie Mae will meet FHFA’s
   expectations of having an acceptable and effective operational risk management program
   in place by the end of the first quarter of 2012 – six years after FHFA’s predecessor
   commenced efforts to gain Fannie Mae’s compliance.

2. FHFA disagrees with FHFA-OIG’s finding that foreclosure abuses in Florida and
   elsewhere illustrate the potential negative consequences of Fannie Mae’s failure to
   establish an acceptable and effective operational risk management program.

   FHFA-OIG revised the draft report text to state that Fannie Mae’s lack of an acceptable
   and effective operational risk management program may have resulted in missed
   opportunities to correct the Enterprise’s weak oversight of its Retained Attorney
   Network.
   In this regard, FHFA-OIG reiterates that FHFA’s special review of Fannie
   Mae’s oversight of the attorney network concluded that Fannie Mae did not act on
   information contained in its 2006 internal report, which found that law firms in Florida
   and elsewhere were sacrificing accuracy for speed (i.e., filing false documents in
   foreclosure proceedings) and that its oversight of the firms’ litigation practices was
   weak. FHFA-OIG contends that strengthened law firm oversight by Fannie Mae could
   have detected – if not prevented – these abuses by attorneys.

3. FHFA disputes FHFA-OIG’s finding that it must ensure that Fannie Mae implement an
   operational risk management program. FHFA states the draft report could lead readers to
   conclude that Fannie Mae did not have an operational risk program in place for years
   when, in fact, executive leadership, extensive reporting, and dedicated resources were in
   place.

   FHFA-OIG added the phrase “acceptable and effective” before “operational risk
   program” throughout the report, as appropriate.

ADDITIONAL INFORMATION AND COPIES

For additional copies of this report:

   • Call the Office of Inspector General (OIG) at: 202-408-2544

   • Fax your request to: 202-445-2075

   • Visit the OIG website at: www.fhfaoig.gov

To report alleged fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

   • Call our Hotline at: 1-800-793-7724

   • Fax us the complaint directly to: 202-445-2075
   • E-mail us at: oighotline@fhfa.gov

   • Write to us at: FHFA Office of Inspector General
                     Attn: Office of Investigation – Hotline
                     1625 Eye Street, NW
                     Washington, DC 20006-4001